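/*
 * Triage rule: flags files that reference several Linux netfilter / skb
 * kernel symbol names together.
 *
 * Scope and limits (read before wiring this into alerting):
 *   - Every pattern below is a generic kernel symbol name. None of them is
 *     specific to a vulnerable code path, a patched/unpatched build, or an
 *     exploit, so a hit means "netfilter-related object or symbol listing",
 *     not "vulnerable" and not "compromised".
 *   - Exposure to the CVE named in meta should be decided from kernel/package
 *     version data; use this rule only to narrow down which artifacts to look at.
 *   - NOTE(review): the CVE id and description in meta are kept as submitted;
 *     confirm against the official CVE record that they describe the same
 *     issue before using this tag in reports.
 */
rule CVE_2025_21817_Netfilter_InfoLeak
{
    meta:
        cve         = "CVE-2025-21817"
        description = "Linux kernel netfilter out-of-bounds read info leak"
        author      = "汪娅辰（学生 STSS 贡献）"
        date        = "2025-11-28"
        severity    = "Medium"
        category    = "kernel"

    strings:
        // Netfilter hook dispatch, xtables lookup, hook registration and
        // skb copy helper symbol names, matched as plain ASCII.
        $s1 = "nf_hook_slow" ascii
        $s2 = "xt_find_table_lock" ascii
        $s3 = "nf_register_net_hook" ascii
        $s4 = "skb_copy_bits" ascii

        // The former $hex1 = { 6E 66 5F 68 6F 6F 6B } was removed: those bytes
        // are the ASCII text "nf_hook", a prefix of $s1. Used as a standalone
        // alternative in the condition it matched any file containing that
        // 7-byte substring and made the "3 of" threshold meaningless.

    condition:
        // Require at least three distinct symbols so that a single common
        // substring can no longer satisfy the rule on its own.
        3 of ($s*)
}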

Signed-off-by: 汪娅辰 <2301_80000730@noreply.gitcode.com>